Event Viewer: Who logged in? Why am I seeing myself as "remote"?
I want input from people who understand what the Event Viewer logs (Win 7 Enterprise) actually mean. Auditing is already enabled on my machine, so it does have some logs.
Under Windows Logs/Security, I get many "Audit Success" logs with various Event IDs and Task Categories. I am not sure what to ignore and what to count. The accounts I use are a local admin account and a domain user account. But I see countless logins from, for example, the computer's name itself, SYSTEM (domain NT AUTHORITY) and something called SophosSAUSETUPPCO.
Are remote logons logged here? I also checked under Windows Logs/Microsoft/Windows for possible login information logs in the following directories:
RemoteApp and Desktop Connections: There's nothing stored here.
RemoteAssistance: There are random logs here, but only from a user called SYSTEM.
RemoteDesktopServices-RdpCoreTS: There's nothing stored here.
RemoteDesktopServices-RemoteDesktopSessionManager: There's nothing stored here.
Then I looked here:
TerminalServices-LocalSessionManager: For some reason, nothing was logged here between the 22nd of last month and the 2nd of this month. All the logs I've checked here are from the two users I use myself.
This is where I'm a bit confused. Firstly, why are they all logged as "Remote Desktop Services" when I am logging into the accounts locally?
Secondly, why are logs missing for some dates? I've noticed a pattern of them missing on or around weekends. However, that is not always true. For instance, how can the logs here between the evening of 22/03 and the morning of 02/04 be non-existent? I also noticed this same gap from 31st Jan to 7th Feb, Jan 11th to 16th, and again from the 16th to the 23rd.
I also looked under:
TerminalServices-RemoteConnectionManager: All the logs here seem to be from the users SYSTEM and NETWORK SERVICE.
Like the previous one, logs are sometimes missing during the weekend period. Logs here seem to be missing between 22/03 and 03/04, 30th Jan to 7th Feb, Jan 11th to 25th, and then 25th to 30th. There are also no logs present between 7th Jan and 11th.
I'd really appreciate it if someone helped me understand these things better. I wish to find out if someone else has been accessing/using this machine remotely. Any help is greatly appreciated.
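The following PowerShell is an added example for readers working through the same logs; it is not part of the original post. It pulls the Security log's successful-logon events (ID 4624) and breaks them down by the Logon Type field, which is what separates a console logon from an RDP or network logon, lists the TerminalServices-LocalSessionManager session events with their source address (console sessions show `LOCAL`, so every session, remote or not, lands under "Remote Desktop Services"), and checks whether the gaps line up with the event log service being stopped (machine off) or with the Security log being cleared. It assumes an elevated PowerShell prompt with read access to the Security log; the 90-day window is an arbitrary choice.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# $Since is an arbitrary window; widen it to cover the gaps you are looking at.
$Since = (Get-Date).AddDays(-90)

# Security 4624 = "An account was successfully logged on". Its LogonType field says how:
#  2 Interactive (console), 3 Network (share/RPC access from another host), 4 Batch,
#  5 Service, 7 Unlock, 8 NetworkCleartext, 9 NewCredentials (runas /netonly),
# 10 RemoteInteractive (RDP / Terminal Services), 11 CachedInteractive.
$LogonTypeNames = @{
    '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service'; '7'='Unlock';
    '8'='NetworkCleartext'; '9'='NewCredentials'; '10'='RemoteInteractive';
    '11'='CachedInteractive'
}

$Logons = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$Since } -ErrorAction Stop |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $d['LogonType']
            Kind      = $LogonTypeNames[$d['LogonType']]
            SourceIP  = $d['IpAddress']
            Process   = $d['ProcessName']
        }
    }

# Logons by the machine account (COMPUTERNAME$), SYSTEM and service accounts are expected
# background noise (types 5 and 3 from the box itself). The question "was someone else in
# here remotely" is about type 10, and type 3 from an address that is not this machine.
"--- Logon counts by type and account ---"
$Logons | Group-Object Kind, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"--- RDP (RemoteInteractive) logons ---"
$Logons | Where-Object { $_.LogonType -eq '10' } | Format-Table Time, User, SourceIP -AutoSize

"--- Network logons from somewhere other than this machine ---"
$LocalAddrs = @('-', '127.0.0.1', '::1')
$Logons | Where-Object { $_.LogonType -eq '3' -and ($LocalAddrs -notcontains $_.SourceIP) } |
    Format-Table Time, User, SourceIP -AutoSize

# TerminalServices-LocalSessionManager records every session, console included, which is why
# local logons show up under "Remote Desktop Services". 21 = session logon, 24 = disconnected,
# 25 = reconnected. Console sessions carry Address = LOCAL; a real RDP session carries the
# client's IP address, so filtering out LOCAL leaves only remote sessions.
"--- LocalSessionManager sessions that were not from the console ---"
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id=21,24,25; StartTime=$Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Id      = $_.Id
            User    = $x.Event.UserData.EventXML.User
            Address = $x.Event.UserData.EventXML.Address
        }
    } |
    Where-Object { $_.Address -ne 'LOCAL' } | Format-Table Time, Id, User, Address -AutoSize

# Gaps: check whether the event log service simply was not running in those windows.
# System 6005 = event log service started, 6006 = stopped, 6008 = previous shutdown was unexpected.
# A gap bracketed by 6006 ... 6005 is a machine that was off or asleep.
"--- Event log service start/stop ---"
Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='EventLog'; Id=6005,6006,6008; StartTime=$Since } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated | Format-Table TimeCreated, Id, Message -AutoSize

# Security 1102 = the audit log was cleared, and it records which account did it.
# A gap that coincides with one of these is a different matter from a powered-off box.
"--- Security log cleared? ---"
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=1102; StartTime=$Since } -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Message -AutoSize
```

Read the output in this order: the 6005/6006 pairs first, because a gap that matches a shutdown and restart needs no further explanation; then any 1102 entries; then the type 10 and non-local type 3 logons, which are the only 4624 records that indicate another host reached this machine.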